Is it safe to reboot a server open to the internet?

security boot networking internet centos

Solution 1:

Out of the box, you are guaranteed that iptables will start before the interface is brought up by the order of the startup scripts. Look at the "chkconfig" line in each startup script and you will see the runlevels it is "on" when active, the start order, and the stop order.

You are not guaranteed that the interface will not be brought up if the iptables ruleset was not applied properly (or at all).

Example:
chkconfig: 2345 08 92
This line states that the service in question will be active in runlevels 2, 3, 4, and 5, and will start at 8 and stop at 92. Anything with a greater "start" value will start only after this script completes, but this script erroring out is considered a completion and will not prevent downstream scripts from running.

Please note this answer applies to CentOS 6 and earlier, not necessarily to CentOS 7. I haven't personally researched 7 sufficiently to answer this question for 7.

Solution 2:

You can also use the ifup-post option in centos:

/etc/sysconfig/network-scripts/ifup-post

Called when any network device EXCEPT a SLIP device comes up. Calls /etc/sysconfig/network-scripts/ifup-routes to bring up static routes that depend on that device. Calls /etc/sysconfig/network-scripts/ifup-aliases to bring up aliases for that device. Sets the hostname if it is not already set and a hostname can be found for the IP for that device. Sends SIGIO to any programs that have requested notification of network events.

Could be extended to fix up nameservice configuration, call arbitrary scripts, etc, as needed.

This script runs and after the above ( ifup-route and ifup-aliases )it looks for ifup-local

if [ -x /sbin/ifup-local ]; then
   /sbin/ifup-local ${DEVICE}
fi

So you can create this file and make sure it calls iptables again for example using iptables-restore: 

iptables-restore < /etc/sysconfig/iptables

Solution 3:

A little addendum: to ensure the needed rules will be there next time you boot the server, save it with

sudo sh -c "iptables-save > /etc/iptables.rules"

Related

How to properly add .NET assemblies to Powershell session?
Outgrowing cron: what's the next scheduler? [closed]
Dovecot vs Courier vs Cyrus [closed]
SSH: Two Factor Authentication
Which is better image format, raw or qcow2, to use as a baseimage for other VMs?
Barriers to IPv6 deployment: addressing
Does btrfs have an efficient way to compare snapshots?
The XFS filesystem is broken in RHEL/CentOS 6.x - What can I do about it?
How do you check if a hard drive was encrypted with software or hardware when using BitLocker?
NGINX add_header, adding multiple headers
SSH public key auth fails when UsePAM is set to "no"
Difference between iptables -A and -I option